An extra 'executable' bit is seen when POSIX ACL is used by Samba

Bug #146367 reported by Laurynas Butkus
Affects: samba (Ubuntu)
Status: Invalid
Importance: Wishlist
Assigned to: Ubuntu Server

Bug Description

Binary package hint: samba

It happens on a Feisty server with the latest security updates.

I'm using POSIX ACLs to force some group permissions. On the server filesystem everything works fine. I share this folder with Samba.

The problem occurs when I mount this folder from the client as a 'cifs' filesystem. New files created by the client automatically become executable (they shouldn't).

There is a patch in the Samba mailinglist:
http://lists.samba.org/archive/samba-technical/2006-September/049397.html

I have rebuilt the Ubuntu Samba deb with this patch applied - PROBLEM SOLVED.

This fix is important because I couldn't find any other way to use ACLs on a network filesystem in Ubuntu. NFS ACLs are disabled in the default Feisty kernel.

Kees Cook (kees) wrote :

Thanks for the report!

Has this patch been taken by upstream? (If not, why?) Note the "corrected" patch is here:

http://lists.samba.org/archive/samba-technical/2006-September/049398.html

Changed in samba:
assignee: nobody → ubuntu-server
importance: Undecided → Wishlist
status: New → Confirmed
Laurynas Butkus (laurynas-butkus) wrote :

It seems that it was not included in the Samba fixes. I have also added a comment to:
https://bugzilla.samba.org/show_bug.cgi?id=4268

Actually, after further investigation, it looks like Samba still calculates POSIX ACLs a bit differently from the native system.

This patch solved my problem with executables, but I still get some unexpected permissions (I can live with them...). Maybe someone who really knows how POSIX ACLs work could have a look at Samba's POSIX ACL handling.

And sorry, I put an incorrect link to the patch. I used the corrected version.

Paul Dufresne (paulduf) wrote :

Thanks for this bug report.
As this was reported a long time ago, we would like to know: Is it still an issue for you?
If so, could you give an example of ACL permissions that generate this problem?

Changed in samba:
status: Confirmed → Incomplete
Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in samba (Ubuntu):
status: Incomplete → Invalid
Dane Mutters (dmutters) wrote :

Sorry to revive an old bug, but I've recently run into this problem. Using the following in smb.conf, when I create a file as a remote user, the Owner's permissions are always set to executable on files (rwxrw-rw-), whereas they should be rw-rw-rw-.

[DnD Public]
    path = "/mnt/PERSONAL/Dane/RPGs/DnD Public"
    comment = Players can put stuff in here
    writeable = yes
    guest ok = yes
    guest only = yes
    force create mode = 0666
    force directory mode = 0777

I've tried it with "force user = dane" in there (since that's my local login, which is set up in Samba's database), but keep getting the same result. Since this is a security problem, depending on the context, and since there's already a patch released upstream, at the link above, I was hoping this could get fixed in a security release sometime soon. (The patch was posted to that page in 2006--if this is, indeed, the same bug.)

I might end up patching and compiling Samba, myself, but I'd really rather not dump a pile of "make install" into my filesystem tree (and that wouldn't fix the bug in the repository, besides).

Thanks for reading.
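
Added example, not part of the bug report or of Samba: a shell function that audits a shared directory for regular files whose mode carries bits the share is not expected to produce, such as the owner execute bit (rwxrw-rw- instead of rw-rw-rw-) described in the comment above. The function name audit_share_modes is hypothetical, the default expected mode 0666 is taken from the "force create mode" setting quoted above, and GNU find is assumed.

```sh
#!/bin/sh
# Added example: report files under a share path whose permission bits
# exceed the mode the share is expected to create.
# Assumptions: GNU find (-printf), as shipped on Ubuntu; file names that
# contain newlines are not handled.

# audit_share_modes DIR [EXPECTED_OCTAL_MODE]
# Prints one line per offending file: "<mode> +<unexpected bits> <path>"
audit_share_modes() {
    dir=$1
    expected=${2:-0666}     # octal mode the share should produce
    # %m is the file mode in octal, %p the path (spaces in names are kept
    # because read assigns the remainder of the line to the last variable).
    find "$dir" -type f -printf '%m %p\n' |
    while IFS=' ' read -r mode path; do
        # Bits set on the file but absent from the expected mode.
        # The leading 0 makes the shell parse both values as octal.
        extra=$(( 0$mode & ~0$expected & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s +%04o %s\n' "$mode" "$extra" "$path"
        fi
    done
}

# When run directly with arguments, audit the given path, for example:
#   ./audit_share_modes.sh "/srv/share" 0666
if [ "$#" -gt 0 ]; then
    audit_share_modes "$@"
fi
```

A file created with rwxrw-rw- under a share expected to produce 0666 is reported as `766 +0100 <path>`; files at or below the expected mode produce no output.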
